Aurelua

Privacy Policy

Last updated 5 May 2026

This Privacy Policy explains how Aurelua ("Aurelua", registration number 2026/344331/07, of the South Africa) collects, uses, shares, and protects your personal information. Our processing of personal information is governed by the Protection of Personal Information Act 4 of 2013 ("POPIA").

1. The information we collect

Account information

  • Name, email address, and (for Sellers) brand name.
  • Phone number — required for WhatsApp checkout and order coordination.
  • Hashed password (we never store your password in plain text).

Order and transaction information

  • Items in your cart, completed orders, and order history.
  • Delivery address.
  • Payment provider, transaction reference, and amount. We do not store full card details — these go directly to our payment provider (Paystack or Ozow).

Seller information

  • Bank-account details (held only for the purpose of paying out sales — never displayed back to Buyers).
  • Business registration / KYC information where required for verified-seller status.
  • Public store content: logo, banner, bio, product photos and descriptions.

Device and usage information

  • IP address, device type, browser, operating system.
  • Pages visited, actions taken, and approximate location (derived from IP).
  • Cookies and similar technologies (see Cookies below).

2. Why we collect it (lawful basis under POPIA)

We collect your personal information to provide our service, in line with the conditions for lawful processing under POPIA:

  • Performance of contract — to create your account, fulfil orders, process payments, and provide support.
  • Legitimate interest — to keep the platform secure, prevent fraud, improve our services, and analyse usage trends.
  • Legal obligation — to comply with tax, financial-services, and consumer-protection laws.
  • Consent — for marketing emails, product updates, and any optional features that ask for it. You can withdraw consent at any time.

3. Who we share it with

We share information with third-party service providers strictly as needed to operate the platform. Each is bound by a data-processing arrangement that limits how they may use the information.

  • Payment providers (Paystack, Ozow) — to process card / instant-EFT transactions and verify payment status.
  • Email delivery (Resend) — to send order confirmations, password resets, and seller notifications.
  • Hosting and infrastructure (Vercel, Render, Cloudflare R2, Neon) — to operate our website, API, image storage, and database.
  • Analytics — limited to aggregate usage stats; we do not sell your personal information.
  • Other Buyers / Sellers — order details (product, quantity, price, delivery address) are shared between Buyer and Seller as needed to fulfil orders.
  • Law enforcement and regulators — when required by law or a valid legal process.

We do not sell your personal information, and we do not share it with advertisers.

4. International transfers

Some of our service providers operate servers outside South Africa (notably in the European Union and United States). When personal information is transferred across borders, we rely on contractual safeguards equivalent to POPIA's protections, as required by section 72.

5. How long we keep your information

  • Account data — for as long as your account is active. We retain core records for up to 5 years after account closure for tax and legal compliance, then we delete or anonymise.
  • Order records — 5 years from order completion (statutory retention period for tax purposes).
  • Marketing preferences — until you opt out, then we keep an unsubscribe record so we don't accidentally re-add you.
  • Logs — typically 90 days, for security and debugging.

6. Your rights under POPIA

You have the right to:

  • Be told what information of yours we hold and why.
  • Access the information we hold about you.
  • Correct inaccurate or incomplete information.
  • Delete information we no longer have a lawful basis to keep.
  • Object to processing for direct marketing or based on legitimate interest.
  • Withdraw consent for any processing that relies on consent.
  • Lodge a complaint with the Information Regulator if you believe we have mishandled your information.

To exercise any of these rights, email info@aurelua.com. We respond within 30 days as required by POPIA.

7. Information Officer

Information Officer
The CEO of Aurelua
Email
info@aurelua.com
Phone
+27 21 879 6453
Postal / physical address
282 Tryall Road
Milnerton Rural
Cape Town 7441
South Africa

8. Information Regulator (South Africa)

If you are not satisfied with our response to a complaint, you may contact:

The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg 2001
Email: complaints.IR@justice.gov.za
Website: inforegulator.org.za

9. Security

We use industry-standard practices to protect your information, including HTTPS encryption in transit, encryption at rest for sensitive fields, hashed passwords, and access controls. No system is completely secure — if we ever experience a personal-information breach that affects you, we will notify you and the Information Regulator as required by POPIA section 22.

10. Children

Aurelua is not directed at children under 18 and we do not knowingly collect personal information from minors. If you believe we have collected information from a child, contact us and we will delete it.

11. Cookies

We use a small number of cookies and similar technologies to keep you signed in, remember your cart, and measure aggregate usage. You can manage cookies through your browser settings. Blocking essential cookies may break functionality such as logging in or checking out.

12. Changes to this policy

Material changes will be communicated by email to active accounts at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For privacy questions, email info@aurelua.com. See our Contact page for further details.